I am working on LOGalyze; there is limited documentation for the tool. I have done a lot of things, but I am not able to add alerts.
The following is a sample XML file for an event definition:
<?xml version="1.0" encoding="utf-8"?>
<tns:definitions xmlns:tns="http://logalyze.com"
                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                 xsi:schemaLocation="http://logalyze.com http://repository.logalyze.com/logalyze-definitions-1.0.xsd">
  <tns:eventdef version="1" id="a4151076-152c-11e1-91a4-0018de9d251b">
    <tns:name>critical event mod sec</tns:name>
    <tns:description>mod sec</tns:description>
    <tns:vendor>logalyze</tns:vendor>
    <tns:group></tns:group>
    <tns:rule>singlewiththreshold</tns:rule>
    <tns:criteria>
      <tns:criterion>
        <tns:field>_tag</tns:field>
        <tns:operator>=</tns:operator>
        <tns:value>mod_sec_warn</tns:value>
      </tns:criterion>
    </tns:criteria>
    <tns:desc>3 login failures within 1m user ${user_name}</tns:desc>
    <tns:window>60</tns:window>
    <tns:thresh>3</tns:thresh>
    <tns:actions>
      <tns:action type="event">
        <tns:prop>
          <tns:key>field:msg</tns:key>
          <tns:value>3 login failures within 1m user ${user_name}</tns:value>
        </tns:prop>
        <tns:prop>
          <tns:key>field:user_name</tns:key>
          <tns:value/>
        </tns:prop>
        <tns:prop>
          <tns:key>field:loghostname</tns:key>
          <tns:value/>
        </tns:prop>
        <tns:prop>
          <tns:key>field:_priority</tns:key>
          <tns:value>high</tns:value>
        </tns:prop>
      </tns:action>
    </tns:actions>
  </tns:eventdef>
</tns:definitions>
Thanks, infosec.pk
So we should enhance the documentation :-)
You have one action type, "event". It generates an artificial log entry of log type "event", with the field name/value pairs from the prop list (msg, user_name, loghostname, _priority). This type of log can be searched, and it can be the input of another event definition.
To send an alert you have to use the action type "mail". The properties of the "mail" action are:
- to: email address
- subject: default value is 'LOGalyze alert'
The content of the mail body is generated by LOGalyze; you cannot modify it.
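As an added example (not part of the original thread and not LOGalyze's own documentation), here is the poster's event definition with a second action of type "mail" placed beside the existing "event" action, so that reaching the threshold both records a searchable event and sends the alert. The "to" and "subject" keys are the two properties listed in the reply above; the key/value prop layout for the mail action is assumed to match the one the "event" action uses, and the recipient address and subject text are placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<tns:definitions xmlns:tns="http://logalyze.com"
                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                 xsi:schemaLocation="http://logalyze.com http://repository.logalyze.com/logalyze-definitions-1.0.xsd">
  <tns:eventdef version="1" id="a4151076-152c-11e1-91a4-0018de9d251b">
    <tns:name>critical event mod sec</tns:name>
    <tns:description>mod sec</tns:description>
    <tns:vendor>logalyze</tns:vendor>
    <tns:group></tns:group>
    <!-- fire once 3 matching entries (thresh) arrive inside a 60 s window -->
    <tns:rule>singlewiththreshold</tns:rule>
    <tns:criteria>
      <tns:criterion>
        <tns:field>_tag</tns:field>
        <tns:operator>=</tns:operator>
        <tns:value>mod_sec_warn</tns:value>
      </tns:criterion>
    </tns:criteria>
    <tns:desc>3 login failures within 1m user ${user_name}</tns:desc>
    <tns:window>60</tns:window>
    <tns:thresh>3</tns:thresh>
    <tns:actions>
      <!-- action 1 (from the original post): synthetic, searchable "event" log entry -->
      <tns:action type="event">
        <tns:prop>
          <tns:key>field:msg</tns:key>
          <tns:value>3 login failures within 1m user ${user_name}</tns:value>
        </tns:prop>
        <tns:prop>
          <tns:key>field:user_name</tns:key>
          <tns:value/>
        </tns:prop>
        <tns:prop>
          <tns:key>field:loghostname</tns:key>
          <tns:value/>
        </tns:prop>
        <tns:prop>
          <tns:key>field:_priority</tns:key>
          <tns:value>high</tns:value>
        </tns:prop>
      </tns:action>
      <!-- action 2 (added here): e-mail alert using the "to" and "subject" properties
           named in the reply; prop layout assumed to mirror the event action -->
      <tns:action type="mail">
        <tns:prop>
          <tns:key>to</tns:key>
          <tns:value>soc-alerts@example.invalid</tns:value> <!-- placeholder recipient -->
        </tns:prop>
        <tns:prop>
          <tns:key>subject</tns:key>
          <tns:value>[mod_sec] 3 login failures within 1m</tns:value> <!-- placeholder subject -->
        </tns:prop>
      </tns:action>
    </tns:actions>
  </tns:eventdef>
</tns:definitions>
```

Since the reply states that the mail body is generated by LOGalyze and cannot be changed, the subject is the only part of the message you control; putting the rule name or the matched tag there is what lets a recipient triage the alert without opening the LOGalyze search. Keeping the "event" action alongside the mail action also leaves a searchable record of every alert that was raised.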